The editor of the Financial Times is one of more than 180 editors, investigative reporters and other journalists around the world who were selected as possible candidates for surveillance by government
clients of the surveillance firm NSO Group, the Guardian can reveal.
Roula Khalaf, who became the first female editor in the newspaperâs history last year, was selected as a potential target throughout 2018.
Her number is included in a leaked list of mobile phone numbers selected for possible surveillance by clients of NSO, an Israeli firm that manufactures spyware and sells it to governments. Its principal product, Pegasus, is capable of compromising a phone, extracting all of the data stored on the device and activating its microphone to eavesdrop on conversations.
NSO has long insisted that the governments to whom it licenses Pegasus are contractually bound to only use the powerful spying tool to fight âserious crime and terrorismâ.
Analysis of the leaked data suggests that Khalafâs phone was selected as a possible target by the United Arab Emirates (UAE). At the time, Khalaf was a deputy editor at the FT. A spokesperson for the Financial Times said: âPress freedoms are vital, and any unlawful state interference or surveillance of journalists is unacceptable.â
The leaked records were initially accessed via Forbidden Stories, a nonprofit journalism organisation, and Amnesty International. They shared access with the Guardian and select other media outlets as part of the Pegasus project, an international investigative collaboration.
What is in the Pegasus project data?
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnestyâs Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSOâs government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the companyâs signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are âtechnically impossibleâ to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity â in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnestyâs detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared âbackup copiesâ of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnestyâs forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Groupâs full statement here. The company has always said it does not have access to the data of its customersâ targets. Through its lawyers, NSO said the consortium had made âincorrect assumptionsâ about which clients use the companyâs technology. It said the 50,000 number was âexaggeratedâ and the list could not be a list of numbers âtargeted by governments using Pegasusâ. The lawyers said NSO had reason to believe the list accessed by the consortium âis not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposesâ. After further questions, the lawyers said the consortium was basing its findings âon misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologiesâ.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons â unrelated to Pegasus â for conducting HLR lookups via an NSO system.
Thank you for your feedback.
A successful Pegasus infection gives NSO customers access to all data stored on the device. An attack on a journalist could expose a reporterâs confidential sources as well as allowing NSOâs government client to read their chat messages, harvest their address book, listen to their calls, track their precise movements and even record their conversations by activating the deviceâs microphone.
Reporters whose numbers appear in the data range from local freelancers, such as the Mexican journalist Cecilio Pineda Birto, who was murdered by attackers armed with guns one month after his phone was selected, through to prize-winning investigative reporters, editors and executives at leading media organisations.
In addition to the UAE, detailed analysis of the data indicates that the governments of Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda and Saudi Arabia all selected journalists as possible surveillance targets.
It is not possible to know conclusively whether phones were successfully infected with Pegasus without analysis of devices by forensic experts. Amnesty Internationalâs Security Lab, which can detect successful Pegasus infections, found traces of the spyware on the mobile phones of 15 journalists who had agreed to have their phones examined after discovering their number was in the leaked data.
Left: Siddharth Varadarajan, co-founder of the Indian news website the Wire. Right: Paranjoy Guha Thakurta, a reporter at the Wire. Composite: thewire.in/c/o Paranjoy Guha Thakurta
Among the journalists confirmed by analysis to have been hacked by Pegasus were Siddharth Varadarajan and Paranjoy Guha Thakurta, a co-founder and a reporter at the Indian news website the Wire. Thakurta was hacked in 2018 while he was working on an investigation into how the Hindu nationalist government of Narendra Modi was using Facebook to systematically spread disinformation among Indian people online.
âYou feel violated,â Varadarajan said of the hacking of his device and the selection of his colleagues for targeting. âThis is an incredible intrusion and journalists should not have to deal with this. Nobody should have to deal with this, but in particular journalists and those who are in some way working for the public interest.â
Omar Radi, a Moroccan freelance journalist and human rights activist who has published repeated exposÃ©s of government corruption, was hacked by an NSO client believed to be the government of Morocco throughout 2018 and 2019.
The Moroccan government has since accused him of being a British spy, in allegations described by Human Rights Watch as âabusing the justice system to silence one of the few remaining critical voices in Moroccan mediaâ.
Saad Bendourou, a deputy head of mission at the Moroccan embassy in France, dismissed the consortiumâs findings.
âWe remind you that the unfounded allegations already published by Amnesty International and relayed by Forbidden Stories have already been the subject of an official response by the Moroccan authorities, who categorically denied such allegations,â he said.
Khadija Ismayilova: âItâs despicable, itâs heinousâ
Ismayilova faced a sustained campaign of harassment and intimidation. Photograph: Aziz Karimov/AP Composite: AP
Khadija Ismayilova, an award-winning Azerbaijani investigative journalist, was also confirmed by technical analysis to have been hacked with Pegasus in 2019. She has spent years reporting on the network of corruption and self-enrichment that surrounds the autocratic president, Ilham Aliyev, who has ruled his country since seizing power in 2003.
She has faced a sustained campaign of harassment and intimidation in retaliation for her work. In 2012 intimate videos of her, filmed using a camera installed in her apartment without her knowledge, were published online shortly after she received a letter warning her to âbehave or be defamedâ.
In 2014 she was arrested on charges of alleged tax evasion, âillegal businessâ offences, and the âincitement to suicideâ of a still-living colleague. She was released from a jail sentence of seven and a half years following an appeal, though remained subject to a travel ban as well as an asset freeze preventing her from accessing her own bank account until recently.
Her phone was almost certainly hacked by agents of the Aliyev regime, according to analysis of the leaked data. The same NSO customer also selected as surveillance candidates
more than 1,000 other Azerbaijani phones, many belonging to Azerbaijani dissidents, as well two of Ismayilovaâs lawyers.
âI feel guilty for the sources who sent me [information], thinking that some encrypted messaging ways are secure. They did it and they didnât know my phone was infected,â Ismayilova said.
âMy family members are also victimised, people Iâve been working with. People who told me their private secrets are victimised. Itâs not just me.â
She said she was angry with those who âproduce all of these tools and sell them to the bad guys like the Aliyev regime. Itâs despicable, itâs heinous â¦ When the video was exposed, it was just me. Now I donât know who else has been exposed because of me, who else is in danger because of me.â
Bradley Hope: âYour phone is a potential surveillance deviceâ
Investigative journalist Bradley Hope. Composite: David Levene/Guardian
Also listed in the leaked records is a UK
phone number belonging to the American investigative journalist Bradley Hope, who lives in London. At the time of his selection he was an employee at the Wall Street Journal.
In spring 2018 Hope and his colleague Tom Wright were fact-checking a draft of a book on 1MDB, a corruption scandal involving the theft of $4.5bn from the state of Malaysia. Central to the allegations were Najib Razak, the countryâs prime minister, and a businessman named Jho Low.
Part of their investigation also concerned the possibility that some of the money had been spent on a luxury yacht, called the Topaz, for Sheikh Mansour, the deputy prime minister of the UAE and a senior member of the Abu Dhabi royal family.
As part of standard journalistic practice, Hope and Wright contacted parties who would be named in their book and offered them an opportunity to comment.
records reveal that around the same time, one of NSOâs government clients â believed to be the UAE â began selecting Hopeâs mobile phone as a possible surveillance candidate.
His number was
included on the list until at least the spring of 2019, during which time Hope and Wright continued to report on new disclosures in the 1MDB corruption investigation. Wrightâs phone number does not appear in the list.
Hope no longer has access to his phone so the Guardian was unable to carry out an analysis, although checks on his current device found no suggestion he was currently being monitored.
âI think probably the number one thing that anyone targeting my phone would want to know is: who are my sources?â Hope said. âThey would want to know who it is that is providing this insight.â
He suggested that one possibility was that the country might have been interested in him because it
was trying to calculate where, if anywhere, he stood in relation to the vast and sprawling regional rivalry between the UAE and its neighbour Qatar.
Hope said he had already adopted various digital security countermeasures, including regularly replacing his phone handset, updating operating systems and not bringing electronic devices into high-risk jurisdictions such as the UAE.
âKnowing that a country can so easily penetrate your phone, it inevitably means that you have to always be thinking about your phone as a potential surveillance device,â he said. âIt will just remind me that at any time I could be carrying around a vulnerability with me.â
Other prominent journalists whose phones were selected by NSOâs clients
include Gregg Carlstrom, a Middle East reporter at the Economist, whose Egyptian and Qatari phone numbers were selected as possible targets by an NSO client, believed to the UAE.
Prominent media executives, including Edwy Plenel, the founder of the French online investigative outlet Mediapart, were also selected.
âThere are not enough safeguardsâ
Carlos MartÃnez de la Serna, a programme director at the nonprofit Committee to Protect Journalists, said the use of spyware to attack journalists and their sources was becoming an increasingly serious issue for his organisation.
âPutting surveillance on a journalist has a very strong, chilling effect. Our devices are key in the reporting activity, and it exposes the journalistâs contacts, it exposes the journalistâs sources, exposes the journalistâs materials,â he said. âIt targets the journalistic activity in a way that almost fully impedes it in situations where journalists are being threatened.â
MartÃnez said there was an urgent need for countries to begin regulating companies exporting surveillance capabilities, particularly where reporters were likely to be at risk. âThere are not enough safeguards about the export of the software,â he said. âSpyware has been sold directly to governments with terrible press freedom records, which is hard to understand.â
NSO Groupâs lawyers said the company âdoes not have access to the data of its customersâ targetsâ. However, they disputed that the numbers in the leak revealed the identities of NSO clientâs surveillance targets, suggesting they may instead be part of a larger list of numbers used by their customers âfor other purposesâ that are legitimate and have nothing to do with surveillance or with NSO.
NSO denied âfalse claimsâ made about the activities of its clients, but said that it would âcontinue to investigate all credible claims of misuse and take appropriate actionâ. It said that in the past it had shut off client access to Pegasus where abuse had been confirmed.
The company added: âNSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.â